Your message dated Mon, 26 May 2025 13:23:11 +0000
with message-id <e1ujxnl-002zkp...@respighi.debian.org>
and subject line unblock freerdp3
has caused the Debian Bug report #1106571,
regarding unblock: freerdp3/3.15.0+dfsg-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
1106571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106571
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock freerdp3/3.15.0+dfsg-2.1:
* cherry-pick of upstream's fix to a denial-of-service issue that can
be triggered by sending specially crafted RDP packages
[CVE-2025-4478] (#1105917)
https://github.com/FreeRDP/FreeRDP/pull/11573/commits
* debdiff is attached.
Regards,
Daniel
diff -Nru freerdp3-3.15.0+dfsg/debian/changelog freerdp3-3.15.0+dfsg/debian/changelog
--- freerdp3-3.15.0+dfsg/debian/changelog 2025-04-24 09:18:41.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/changelog 2025-05-26 12:38:19.000000000 +0000
@@ -1,3 +1,14 @@
+freerdp3 (3.15.0+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-picking patch from upstream:
+ - A flaw was found where a crafted RDP packet could trigger a segmentation
+ fault. This causes FreeRDP to crash and remain defunct, resulting in a
+ denial of service. Initializing function pointers in transport.c after
+ resource allocation fixes this [CVE-2025-4478] (Closes: #1105917).
+
+ -- Daniel Baumann <dan...@debian.org> Mon, 26 May 2025 14:38:19 +0200
+
freerdp3 (3.15.0+dfsg-2) unstable; urgency=medium
[ Bernhard Miklautz ]
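Review bot: The new changelog entry says the patch is cherry-picked from upstream but does not identify the upstream change. Naming the commit (a4bb702aa62e4fad91ca99142de075265555ec18, as given in the header of the added patch file) or the pull request linked in the unblock request would let the release team and later auditors match this upload against upstream without opening debian/patches.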
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch
--- freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 1970-01-01 00:00:00.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/CVE-2025-4478.patch 2025-05-26 12:38:19.000000000 +0000
@@ -0,0 +1,61 @@
+From a4bb702aa62e4fad91ca99142de075265555ec18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jad...@gmail.com>
+Date: Tue, 13 May 2025 10:34:08 +0200
+Subject: [PATCH] transport: Initialize function pointers after resource
+ allocation
+
+The transport instance is freed when an error occurs.
+If the TransportDisconnect function pointer is initialized it
+causes SIGSEGV during free.
+
+CVE: CVE-2025-4478
+---
+ libfreerdp/core/transport.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/libfreerdp/core/transport.c b/libfreerdp/core/transport.c
+index d199c31be4a5..2ca146f65133 100644
+--- a/libfreerdp/core/transport.c
++++ b/libfreerdp/core/transport.c
+@@ -1646,20 +1646,6 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!transport->log)
+ goto fail;
+
+- // transport->io.DataHandler = transport_data_handler;
+- transport->io.TCPConnect = freerdp_tcp_default_connect;
+- transport->io.TLSConnect = transport_default_connect_tls;
+- transport->io.TLSAccept = transport_default_accept_tls;
+- transport->io.TransportAttach = transport_default_attach;
+- transport->io.TransportDisconnect = transport_default_disconnect;
+- transport->io.ReadPdu = transport_default_read_pdu;
+- transport->io.WritePdu = transport_default_write;
+- transport->io.ReadBytes = transport_read_layer;
+- transport->io.GetPublicKey = transport_default_get_public_key;
+- transport->io.SetBlockingMode = transport_default_set_blocking_mode;
+- transport->io.ConnectLayer = transport_default_connect_layer;
+- transport->io.AttachLayer = transport_default_attach_layer;
+-
+ transport->context = context;
+ transport->ReceivePool = StreamPool_New(TRUE, BUFFER_SIZE);
+
+@@ -1698,6 +1684,20 @@ rdpTransport* transport_new(rdpContext* context)
+ if (!InitializeCriticalSectionAndSpinCount(&(transport->WriteLock), 4000))
+ goto fail;
+
++ // transport->io.DataHandler = transport_data_handler;
++ transport->io.TCPConnect = freerdp_tcp_default_connect;
++ transport->io.TLSConnect = transport_default_connect_tls;
++ transport->io.TLSAccept = transport_default_accept_tls;
++ transport->io.TransportAttach = transport_default_attach;
++ transport->io.TransportDisconnect = transport_default_disconnect;
++ transport->io.ReadPdu = transport_default_read_pdu;
++ transport->io.WritePdu = transport_default_write;
++ transport->io.ReadBytes = transport_read_layer;
++ transport->io.GetPublicKey = transport_default_get_public_key;
++ transport->io.SetBlockingMode = transport_default_set_blocking_mode;
++ transport->io.ConnectLayer = transport_default_connect_layer;
++ transport->io.AttachLayer = transport_default_attach_layer;
++
+ return transport;
+ fail:
+ WINPR_PRAGMA_DIAG_PUSH
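Review bot: In the second transport.c hunk, the moved transport->io.* assignments are safe only because they now sit directly before "return transport;", after the last visible "goto fail", and nothing in the code records that constraint. A short comment above the block saying the callbacks must be set last, because the fail path frees the transport and (per the commit message) crashes when TransportDisconnect is already set, would stop a later allocation with its own "goto fail" from being added below it and reintroducing the SIGSEGV. The fix also relies purely on ordering; a follow-up that makes the free path tolerate a partially constructed transport would be more robust. Separately, the patch file carries only the git format-patch header: adding DEP-3 fields such as Origin and Bug-Debian would tie it to #1105917 and to the upstream commit.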
diff -Nru freerdp3-3.15.0+dfsg/debian/patches/series freerdp3-3.15.0+dfsg/debian/patches/series
--- freerdp3-3.15.0+dfsg/debian/patches/series 2025-04-24 09:00:49.000000000 +0000
+++ freerdp3-3.15.0+dfsg/debian/patches/series 2025-05-26 12:32:22.000000000 +0000
@@ -9,3 +9,4 @@
winpr-sysinfo-use-a-single-clock-to-provide-System-a.patch
fix-resources-remove-MimeType-from-desktop-file.patch
gcc-fix-server-side-connection-with-multiple-monitor.patch
+CVE-2025-4478.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---